How Europe’s New Privacy Rules Favor Google and Facebook

Big tech companies gain while smaller online ad firms are squeezed under the European Union’s GDPR, which takes effect in May.

When the European Union’s justice commissioner traveled to California to meet with Google and Facebook last fall, she was expecting to get an earful from executives worried about the Continent’s sweeping new privacy law.

Instead, she realized they already had the situation under control. “They were more relaxed, and I became more nervous,” said the EU official, Věra Jourová. “They have the money, an army of lawyers, an army of technicians and so on.”

Brussels wants its new General Data Protection Regulation, or GDPR, to stop tech giants and their partners from pressuring consumers to relinquish control of their data in exchange for services. The EU would like to set an example for legislation around the world. But some of the restrictions are having an unintended consequence: reinforcing the duopoly of Facebook and Alphabet-Google.

On May 25, the EU will begin enforcing the new rules, which in many cases require companies to obtain affirmative consent to use European residents’ personal information. The change has sent shudders through the digital-advertising sector, from online publishers to the analytics firms, data brokers and buying platforms that use personal data to aim ads at individuals in real time.

Google and Facebook, however, are leveraging their vast scale and sophistication as they seek consent from the hundreds of millions of European users who visit their services each day. They are applying a relatively strict interpretation of the new law, competitors say—setting an industry standard that is hard for smaller firms to meet.